Bandit Level 22 Walkthrough

Level 21 ➔ Level 22: Investigating Automated Cron Jobs

1. My Objective

I am currently logged in as bandit21. My mission is to find the password for Level 22. The hint tells me that a program is running automatically at regular intervals using Cron. I need to look into /etc/cron.d/ to find the configuration and see what exactly this automated program is doing.

The Hidden Clue: Somewhere on this server, a script is waking up, doing some work (like copying a password), and going back to sleep. I need to find the "Instructions" that tell this script when to wake up and where it puts its work.

2. The Feynman Explanation: The Digital Alarm Clock

How does a computer do things while you are sleeping? It uses a service called Cron.

The Robot Assistant Analogy:

Imagine I have a very punctual Robot Assistant. I don't want to tell him what to do every minute. Instead, I leave a Note (the Cron configuration) on the kitchen counter (/etc/cron.d/).

The note says: "Every day at 8:00 AM, take the mail from the mailbox and put it under the rug."

If I am a stranger wanting to steal that mail, I don't need to break into the mailbox. I just need to find that Note on the counter. Once I read the note, I know exactly where the robot is hiding the mail (under the rug). In Linux, the "note" is the cron file, and the "rug" is a temporary file in /tmp.

3. Practical Solution

I start by listing the files in the system's cron directory to see which jobs are active.

# Step 1: List the cron configurations
bandit21@bandit:~$ ls /etc/cron.d/
cronjob_bandit22 cronjob_bandit23 ...

# Step 2: Read the 'note' for bandit22
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

# Step 3: Now I know the robot is running a script. Let's see what that script does!
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
cat /etc/bandit_pass/bandit22 > /tmp/t7O6TAB9u7SGTs9s7SAb36906sV

# Step 4: The script is 'hiding the mail under the rug' in /tmp. Let's grab it!
bandit21@bandit:~$ cat /tmp/t7O6TAB9u7SGTs9s7SAb36906sV
Y9Y0Ng6pE6vSAr4S019SAb36906sV... (Password Revealed!)

How did I solve it?

I followed the trail. The file in /etc/cron.d/ told me that every minute (* * * * *), the user bandit22 runs a shell script. I read that shell script and saw it was taking the password for the next level and copying it into a publicly readable file in the /tmp directory. All I had to do was cat that temporary file.

🚀 My Pro Tips: Understanding Cron

✨ The Five Stars (* * * * *)

In a cron file, the stars represent: Minute, Hour, Day of Month, Month, and Day of Week. If I see * * * * *, it means the task runs every single minute. If I saw 0 0 * * *, it would only run at midnight every day.

⭐ Crontab vs. Cron.d

Users usually edit their own schedules using the crontab -e command. However, system-wide automated tasks are kept as flat files in /etc/cron.d/. These files are readable by anyone, which makes them a goldmine for finding "secrets" or misconfigurations.

🔍 Checking Script Permissions

If I couldn't read the script in /usr/bin, I would check its permissions with ls -l. Fortunately, most scripts like this are readable even if they aren't executable by me.

4. Why this matters

In the real world, system administrators use Cron for everything: backups, log rotations, and security scans. However, if a script is poorly written—like one that saves a backup to a world-readable folder—it creates a massive security hole. Learning to audit these automated tasks is a core skill for any security professional or Linux admin.

Automated Secret Found!

I've successfully intercepted the scheduled task's output. I'll save this password and move on to Level 22 ➔ Level 23, where the cron job becomes even more clever!

Tags: #Linux #Bandit #OverTheWire #Cron #Automation #Crontab #SystemAdmin #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips